Patchwork [ulogd,2/3] add mark event filter

Submitter Ken-ichirou MATSUZAWA
Date April 8, 2014, 10:32 a.m.
Message ID <20140408103218.GC29462@gmail.com>
Permalink /patch/337613/
State Superseded
Delegated to: Eric Leblond

Comments

Ken-ichirou MATSUZAWA - April 8, 2014, 10:32 a.m.
This patch adds a new configuration variable which is used to limit
conntrack events to connections carrying the given mark.

Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
---
 configure.ac                    | 15 +++++++++
 input/flow/ulogd_inpflow_NFCT.c | 75 +++++++++++++++++++++++++++++++++++++++--
 2 files changed, 88 insertions(+), 2 deletions(-)
Pablo Neira - April 14, 2014, 12:54 p.m.
On Tue, Apr 08, 2014 at 07:32:19PM +0900, Ken-ichirou MATSUZAWA wrote:
> This patch adds a new configuration variable which is used to limit
> conntrack event to connection of the mark.
> 
> Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
> ---
>  configure.ac                    | 15 +++++++++
>  input/flow/ulogd_inpflow_NFCT.c | 75 +++++++++++++++++++++++++++++++++++++++--
>  2 files changed, 88 insertions(+), 2 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 522c345..7e5f5fc 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -58,6 +58,20 @@ AS_IF([test "x$enable_nfct" = "xyes"], [
>      AC_DEFINE([BUILD_NFCT], [1], [Building nfct module])
>  ])
>  AM_CONDITIONAL([BUILD_NFCT], [test "x$enable_nfct" = "xyes"])
> +AS_IF([test "x$enable_nfct" = "xyes"], [
> +    AC_MSG_CHECKING([for enable mark filter for event])
> +    AC_CACHE_VAL(ac_cv_nfct_filter_mark,
> +    AC_TRY_COMPILE(
> +        [ #include <libnetfilter_conntrack/libnetfilter_conntrack.h>],
> +        [ int i = NFCT_FILTER_MARK; ],
> +        ac_cv_nfct_filter_mark=yes,
> +        ac_cv_nfct_filter_mark=no))
> +    AC_MSG_RESULT($ac_cv_nfct_filter_mark)
> +    AS_IF([test "x$ac_cv_nfct_filter_mark" = "xyes"], [
> +        AC_DEFINE([HAVE_NFCT_FILTER_MARK], [1], [Building nfct mark event filter])
> +    ])
> +])

I don't find a good reason to add a compile time option for this.

Eric?

Patch

diff --git a/configure.ac b/configure.ac
index 522c345..7e5f5fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -58,6 +58,20 @@  AS_IF([test "x$enable_nfct" = "xyes"], [
     AC_DEFINE([BUILD_NFCT], [1], [Building nfct module])
 ])
 AM_CONDITIONAL([BUILD_NFCT], [test "x$enable_nfct" = "xyes"])
+AS_IF([test "x$enable_nfct" = "xyes"], [
+    AC_MSG_CHECKING([for enable mark filter for event])
+    AC_CACHE_VAL(ac_cv_nfct_filter_mark,
+    AC_TRY_COMPILE(
+        [ #include <libnetfilter_conntrack/libnetfilter_conntrack.h>],
+        [ int i = NFCT_FILTER_MARK; ],
+        ac_cv_nfct_filter_mark=yes,
+        ac_cv_nfct_filter_mark=no))
+    AC_MSG_RESULT($ac_cv_nfct_filter_mark)
+    AS_IF([test "x$ac_cv_nfct_filter_mark" = "xyes"], [
+        AC_DEFINE([HAVE_NFCT_FILTER_MARK], [1], [Building nfct mark event filter])
+    ])
+])
+
 AC_ARG_ENABLE(nfacct,
        AS_HELP_STRING([--enable-nfacct], [Enable nfacct module [default=yes]]),,[enable_nfacct=yes])
 AS_IF([test "x$enable_nfacct" = "xyes"], [
@@ -156,6 +170,7 @@  Ulogd configuration:
   Input plugins:
     NFLOG plugin:			${enable_nflog}
     NFCT plugin:			${enable_nfct}
+      with MARK event filter		${ac_cv_nfct_filter_mark}
     NFACCT plugin:			${enable_nfacct}
   Output plugins:
     PCAP plugin:			${enable_pcap}
diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c
index 899b7e3..a5cf854 100644
--- a/input/flow/ulogd_inpflow_NFCT.c
+++ b/input/flow/ulogd_inpflow_NFCT.c
@@ -35,6 +35,7 @@ 
 
 #include <sys/time.h>
 #include <time.h>
+#include <ctype.h>
 #include <netinet/in.h>
 #include <netdb.h>
 #include <ulogd/linuxlist.h>
@@ -78,7 +79,7 @@  struct nfct_pluginstance {
 #define EVENT_MASK	NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY
 
 static struct config_keyset nfct_kset = {
-	.num_ces = 12,
+	.num_ces = 13,
 	.ces = {
 		{
 			.key	 = "pollinterval",
@@ -149,6 +150,11 @@  static struct config_keyset nfct_kset = {
 			.type	 = CONFIG_TYPE_STRING,
 			.options = CONFIG_OPT_NONE,
 		},
+		{
+			.key	 = "accept_mark_filter",
+			.type	 = CONFIG_TYPE_STRING,
+			.options = CONFIG_OPT_NONE,
+		},
 	},
 };
 #define pollint_ce(x)	(x->ces[0])
@@ -163,6 +169,7 @@  static struct config_keyset nfct_kset = {
 #define src_filter_ce(x)	((x)->ces[9])
 #define dst_filter_ce(x)	((x)->ces[10])
 #define proto_filter_ce(x)	((x)->ces[11])
+#define mark_filter_ce(x)	((x)->ces[12])
 
 enum nfct_keys {
 	NFCT_ORIG_IP_SADDR = 0,
@@ -1221,6 +1228,60 @@  static int build_nfct_filter_proto(struct nfct_filter *filter, char* filter_stri
 	return 0;
 }
 
+#if defined HAVE_NFCT_FILTER_MARK
+static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
+{
+	char *p, *endptr;
+	uintmax_t v;
+	struct nfct_filter_dump_mark filter_mark;
+	errno = 0;
+
+	for (p = filter_string; isspace(*p); ++p)
+		;
+	v = strtoumax(p, &endptr, 0);
+	if (endptr == p)
+		goto invalid_error;
+	if ((errno == ERANGE && v == UINTMAX_MAX) || errno != 0)
+		goto invalid_error;
+	filter_mark.val = (uint32_t)v;
+
+	if (*endptr != '\0') {
+		for (p = endptr; isspace(*p); ++p)
+			;
+		if (*p++ != '/')
+			goto invalid_error;
+		for (; isspace(*p); ++p)
+			;
+		v = strtoumax(p, &endptr, 0);
+		if (endptr == p)
+			goto invalid_error;
+		if ((errno == ERANGE && v == UINTMAX_MAX) || errno != 0)
+			goto invalid_error;
+		filter_mark.mask = (uint32_t)v;
+		if (*endptr != '\0')
+			goto invalid_error;
+	} else {
+		filter_mark.mask = UINT32_MAX;
+	}
+
+	ulogd_log(ULOGD_NOTICE, "adding mark to filter: \"%u/%u\"\n",
+		  filter_mark.val, filter_mark.mask);
+	nfct_filter_add_attr(filter, NFCT_FILTER_MARK, &filter_mark);
+
+	return 0;
+
+invalid_error:
+	ulogd_log(ULOGD_FATAL, "invalid val/mask %s\n", filter_string);
+	return -1;
+
+}
+#else
+static int build_nfct_filter_mark(struct nfct_filter *filter, char* filter_string)
+{
+	ulogd_log(ULOGD_FATAL, "mark filter is not supported\n");
+	return -1;
+}
+#endif /* HAVE_NFCT_FILTER_MARK */
 
 static int build_nfct_filter(struct ulogd_pluginstance *upi)
 {
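Review bot: The two `filter_mark.val = (uint32_t)v;` and `filter_mark.mask = (uint32_t)v;` assignments in build_nfct_filter_mark truncate silently: strtoumax accepts anything up to UINTMAX_MAX, so a configured value such as 0x100000000 passes the ERANGE check and is applied as mark 0, i.e. a different filter than the one the administrator wrote. Add `if (v > UINT32_MAX) goto invalid_error;` after each range check so the configuration error is reported instead of being applied. The `isspace(*p)` calls should pass `(unsigned char)*p`, since a negative plain char is undefined behaviour for the ctype functions. The test `(errno == ERANGE && v == UINTMAX_MAX) || errno != 0` reduces to `errno != 0`, and strtoumax/UINTMAX_MAX need `<inttypes.h>`, which this hunk does not add (it may already be included above the visible lines).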
@@ -1264,6 +1325,15 @@  static int build_nfct_filter(struct ulogd_pluginstance *upi)
 		}
 	}
 
+	if (strlen(mark_filter_ce(upi->config_kset).u.string) != 0) {
+		char *filter_string = mark_filter_ce(upi->config_kset).u.string;
+		if (build_nfct_filter_mark(filter, filter_string) != 0) {
+			ulogd_log(ULOGD_FATAL,
+					"Unable to create mark filter\n");
+			goto err_filter;
+		}
+	}
+
 	if (filter) {
 		if (nfct_filter_attach(nfct_fd(cpi->cth), filter) == -1) {
 			ulogd_log(ULOGD_FATAL, "nfct_filter_attach");
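Review bot: build_nfct_filter_mark is handed `filter` without a NULL check, while the `if (filter)` guard two lines below suggests filter may be NULL at this point; if that can happen, the new block should be skipped or fail when filter is NULL rather than letting nfct_filter_add_attr dereference it (presumably the same way the src/dst/proto blocks above the hunk handle it). The caller's `"Unable to create mark filter\n"` FATAL log duplicates the `"invalid val/mask %s\n"` FATAL log already emitted inside build_nfct_filter_mark, so one of the two could be dropped or the caller's demoted. The enclosing function build_nfct_filter starts and ends outside the hunk.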
@@ -1296,7 +1366,8 @@  static int constructor_nfct_events(struct ulogd_pluginstance *upi)
 
 	if ((strlen(src_filter_ce(upi->config_kset).u.string) != 0) ||
 		(strlen(dst_filter_ce(upi->config_kset).u.string) != 0) ||
-		(strlen(proto_filter_ce(upi->config_kset).u.string) != 0)
+		(strlen(proto_filter_ce(upi->config_kset).u.string) != 0) ||
+		(strlen(mark_filter_ce(upi->config_kset).u.string) != 0)
 	   ) {
 		if (build_nfct_filter(upi) != 0) {
 			ulogd_log(ULOGD_FATAL, "error creating NFCT filter\n");